Include user's email in JWT

I am using magiclinks and email/password B2C authentication.

What is the best way to get a users current email address embedded in their JWT?

Thanks!

Hi Jeremy,

Thanks for posting!

A Stytch JWT will always have the authentication_factors attribute in the payload (which is viewable if you decode the JWT using any standard library). This means that for Sessions created using Email Magic Links, the authentication_factors attribute will automatically include the user’s email, e.g.

"authentication_factors": [{ "type": "magic_link", "delivery_method": "email", "last_authenticated_at": "2024-02-26T23:15:05Z", "email_factor": { "email_id": "email-test-12345", "email_address": "sandbox@stytch.com" } }]

This is not the case for Passwords authentication, however, which looks something like this in authentication_factors:

"authentication_factors": [{ "type": "password", "delivery_method": "knowledge", "last_authenticated_at": "2024-02-26T23:15:43Z" }]

The best way to add email addresses to JWTs consistently is likely via Session custom claims: https://stytch.com/docs/guides/sessions/custom-claims. Custom claims let you add arbitrary metadata to a session in JSON form, which will persist in both the Session object and any JWTs minted for that Session. For instance, you might add { user_email: <email_address> }.

You can add custom claims to a Session one of two ways:

  1. When you’re creating the session - e.g. on the relevant Product’s /authenticate call. For instance, you can do this by including the session_custom_claims parameter when you call our /passwords/authenticate endpoint.
  2. When you call /sessions/authenticate with an existing session (via the session_custom_claims parameter as well). This may be less desirable in this case, since you may only have access to the user’s email address when they’re logging in (in the case of Password authentication).

Happy to answer any other questions you might have about this as well!
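The claim handling described in the answer above, as an added example that is not part of the original thread or of Stytch's own SDKs. It assumes that a Stytch session JWT carries its session data (including authentication_factors) under the "https://stytch.com/session" claim, that claims passed as session_custom_claims are merged into the top level of the JWT payload, that the standard JWT claim names and the Stytch namespace are reserved and cannot be used as custom claim names, and that the custom claim is named user_email as the answer suggests; the payloads and token are constructed sample data, not real Stytch tokens.

```python
import base64
import json
from typing import Any, Dict, Optional

# Added example, not Stytch code. Assumed layout: session data lives under the
# SESSION_CLAIM key, custom claims are merged into the top level of the payload.
SESSION_CLAIM = "https://stytch.com/session"
CUSTOM_EMAIL_CLAIM = "user_email"  # claim name suggested in the answer above

# Assumed reserved names: standard JWT claims plus the Stytch session namespace.
# A custom claim that collides with one of these should be rejected before
# the /authenticate call rather than silently shadowing a real claim.
RESERVED_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti", SESSION_CLAIM}


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unverified_payload(token: str) -> Dict[str, Any]:
    """Decode only the payload segment, to inspect claim layout.

    This does NOT check the signature. Before trusting any claim in a
    production token, verify it (e.g. with the Stytch SDK's authenticate_jwt
    or against the project's JWKS).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def constructed_jwt(payload: Dict[str, Any]) -> str:
    """Build a token with a placeholder signature (constructed test data only)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{b64url_encode(b'constructed-signature')}"


def session_custom_claims(email: str) -> Dict[str, Any]:
    """Value to pass as session_custom_claims on /passwords/authenticate
    (or /sessions/authenticate) so the email is minted into the JWT."""
    claims = {CUSTOM_EMAIL_CLAIM: email}
    clash = RESERVED_CLAIMS.intersection(claims)
    if clash:
        raise ValueError(f"custom claims collide with reserved names: {sorted(clash)}")
    return claims


def current_email(payload: Dict[str, Any]) -> Optional[str]:
    """Extract the user's email from a decoded session JWT payload.

    Prefers the custom claim, which is present for any factor type once it
    has been set at login; falls back to the email_factor that magic-link
    sessions carry automatically. Returns None for a password-only session
    that was created without the custom claim.
    """
    custom = payload.get(CUSTOM_EMAIL_CLAIM)
    if isinstance(custom, str) and custom:
        return custom
    session = payload.get(SESSION_CLAIM, {})
    for factor in session.get("authentication_factors", []):
        email_factor = factor.get("email_factor")
        if email_factor and email_factor.get("email_address"):
            return email_factor["email_address"]
    return None


# Constructed sample payloads mirroring the two shapes shown in the answer.
MAGIC_LINK_PAYLOAD = {
    "sub": "user-test-00000000-0000-0000-0000-000000000000",
    SESSION_CLAIM: {"authentication_factors": [{
        "type": "magic_link", "delivery_method": "email",
        "last_authenticated_at": "2024-02-26T23:15:05Z",
        "email_factor": {"email_id": "email-test-12345",
                         "email_address": "sandbox@stytch.com"}}]},
}
PASSWORD_PAYLOAD = {
    "sub": "user-test-00000000-0000-0000-0000-000000000000",
    SESSION_CLAIM: {"authentication_factors": [{
        "type": "password", "delivery_method": "knowledge",
        "last_authenticated_at": "2024-02-26T23:15:43Z"}]},
}
# Same password session, but created with session_custom_claims at login.
PASSWORD_PAYLOAD_WITH_CLAIM = {**PASSWORD_PAYLOAD,
                               **session_custom_claims("sandbox@stytch.com")}

if __name__ == "__main__":
    for name, payload in [("magic link", MAGIC_LINK_PAYLOAD),
                          ("password", PASSWORD_PAYLOAD),
                          ("password + custom claim", PASSWORD_PAYLOAD_WITH_CLAIM)]:
        print(f"{name:24} -> {current_email(unverified_payload(constructed_jwt(payload)))}")
```

The password-only payload yields None, which is exactly the gap the answer describes: the email is only recoverable from the token when it was supplied as a custom claim at the /passwords/authenticate step, so set it there rather than trying to backfill it on a later /sessions/authenticate call.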